For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Henrik_Gyllkran's avatar
Henrik_Gyllkran
Icon for Nimbostratus rankNimbostratus
Nov 05, 2015

In the scenario with LTM that's typically not any problems, that's what the LTM is used for. Sure, there can be things that needs to be done for your particular implementation - maybe the HTTP Host needs to be rewritten to the internal name for the vhost on the server to accept the requests, maybe absolute URL:s are hardcoded in the application and needs to be rewritten on responses to point to the external name. That's all details that can be solved though.

 

As for the scenario with APM, that's pretty much what the APM does. It has multiple SSO methods, and among them is for the BIG-IP to POST a request to the logon form of the server with the same credentials (or modified credentials if that is a requirement). It's fairly simple if you know how.

 

So whether you should use LTM or APM, or both if you want preauthentication and loadbalancing, is simply a matter of deciding if you trust the application to handle the client requests before they are authenticated or not.